I now researched quite some time to understand OAuth 1.0a, OAuth 2.0 and OpenID Connect. I read their RFCs/Specs and still have one question regarding Google and their Authorization Code Grant on mobile.
OAuth 2.0 states in chapter 4.1.3:
The authorization server MUST require client authentication for confidential clients [...]
My Question:
How can Google ensure it's client authentication for a mobile client?
Thanks,
Dominik
Related
Implementing SSO in my application and from app-1 i need to make a rest call to app-2. Login in app-1 with SAML and authenticated successfully and trying for rest call from app-1 with openid but since authentication is using saml only so not able to get the access/bearer token. Please help how to get the access/bearer token from saml request/response. I'm using Keycloak Server for SSO implementation.
You can't.
REST API need a JWT token not a SAML one.
Change SAML to OpenID Connect and it will work.
(1) OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
(2) Presently there is no IETF draft document regarding SAML 2.0 Profile for OpenID Connect client.
We can refer to the IETF draft document SAML 2.0 Profile for OAuth 2.0 client.
The OAuth 2.0 Access Token using SAML Assertion filter enables an OAuth client to request an access token using a SAML assertion. This supports the OAuth 2.0 SAML flow, which is used when a client wishes to utilize an existing trust relationship, expressed through the semantics of the SAML assertion, without a direct user approval step at the authorization server. For more details on supported OAuth flows, see API Gateway OAuth 2.0 authentication flows.
(3) Both Auth0 and open-source WSO2 Identity Server implement the SAML profile for OpenID Connect/OAuth to convert SAML token to OpenID Connect/OAuth token, as demonstrated by Auth0 SAML Configuration and WSO2 Adding and Configuring an Identity Provider. In other words, Auth0 and WSO2 Identity Server can relay SAML authentication provided by SAML IdP to either OpenID Connect client or OAuth 2.0 client.
I am new to security domain, so don't know whether this question is valid to be asked here. I am currently using OpenAM for the security of my web application with J2ee agent, now I find that OpenAM can do authorization with OAUTH as well as on the basis policies defined, now both openam and oauth develops tokens for valid users, and do not share user credential with the application, so how different are the two? My second question is if my application does not support oauth like google and facebook what basic things I need to do to implement oauth into my application.
OpenAM supports OAuth based authorization if that is what your confusion is about. It also supports
1) OpenID Connect
2) SAML
Your application can use either of these to get authorization from OpenAM. Your application can also use the REST APIs for this purpose. The choice is yours.
As far as the tokens go, OAuth tokens are different from OpenAM Tokens. OAuth tokens include
1) refresh_token
2) access_token
The access_token is used for making oauth based calls. However, OpenAM tokens are basically what is there in the cookie or what you get via the REST API.
Regarding your second question, to support OAuth, you would need to use a oauth client library and enable oauth on the server side (in this case OpenAM). This client library would be dependent on the language you choose to write this application.
Is it possible to get a Twitter access token with OAuth 2.0? I came along this thread but I don't understand it. Do they support OAuth 2.0 or are they still using OAuth 1.0A?
Quoting from this page:
Twitter offers applications the ability to issue authenticated
requests on behalf of the application itself (as opposed to on behalf
of a specific user). Twitter's implementation is based on the Client
Credentials Grant flow of the OAuth 2 specification. Note that OAuth
1.0a is still required to issue requests on behalf of users.
Therefore, no they do not fully support OAuth 2.
After some rudimentary testing I've gotten CAS to work with the Authorization Code Grant. This seems to be the only grant mentioned in the documentation. Does CAS support other grants outlined in the OAuth2.0 draft 2-31 section 4.3? What are the service endpoints?
I'm the creator of the OAuth server support for CAS and so far, it only supports the authorization code grant which matches pretty well with the CAS webflow...
SalesForce.com Rest API Authentication. Will it allow 2-legged oauth transaction
Yes it does allow 2-legged authentication, although Salesforce docs say that it isn't recommended. It's described in detail here:
https://help.salesforce.com/articleView?id=remoteaccess_oauth_username_password_flow.htm&type=5
From using it I know it always redirects you to salesforce to login and authorise the application, which if I have my terminology right is 3-legged oAuth, so at this point in time I'd say it doesn't support that.
THere's some good information on oAuth and Salesforce here.
Here is the actual support page for Salesforce 2 legged Oauth:
https://help.salesforce.com/articleView?id=remoteaccess_oauth_jwt_flow.htm&type=5
Contrary to another answer it is recommended and supported as long as you use the above method.
aka:
OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration